migrating from OpsenSSL 1.1.1t to 3.0.10

Matthias Apitz guru at unixarea.de
Mon Sep 11 09:43:13 UTC 2023 

Hello,

We have a lot of own C/C++ written servers, compiled and linked against
libcrypto.1.1 and libssl.1.1:

# ls -l /usr/local/sisis-pap/lib/libssl* /usr/local/sisis-pap/lib/libcry*
-rw-r--r-- 1 bin  bin  5072394 Jun 16 09:02 /usr/local/sisis-pap/lib/libcrypto.a
lrwxrwxrwx 1 root root      16 Jun 16 09:08 /usr/local/sisis-pap/lib/libcrypto.so -> libcrypto.so.1.1
-rwxr-xr-x 1 bin  bin  3002744 Jun 16 09:08 /usr/local/sisis-pap/lib/libcrypto.so.1.1
-rw-r--r-- 1 bin  bin  1029426 Jun 16 09:02 /usr/local/sisis-pap/lib/libssl.a
lrwxrwxrwx 1 root root      13 Jun 16 09:08 /usr/local/sisis-pap/lib/libssl.so -> libssl.so.1.1
-rwxr-xr-x 1 bin  bin   697248 Jun 16 09:08 /usr/local/sisis-pap/lib/libssl.so.1.1

These servers are our own application servers, but also for example the
PostgreSQL server (also compiled from source).

So far so good.

Now with the announced EOL of 1.1.1 I compiled OpenSSL 3.0.10 which gave
in a new target directoy the following libs:

# ls -l /usr/local/sisis-pap-ssl30/lib/libssl* /usr/local/sisis-pap-ssl30/lib/libcry*
-rw-r--r-- 1 root root 8975888 Sep 11 08:38 /usr/local/sisis-pap-ssl30/lib/libcrypto.a
lrwxrwxrwx 1 root root      14 Sep 11 08:38 /usr/local/sisis-pap-ssl30/lib/libcrypto.so -> libcrypto.so.3
-rwxr-xr-x 1 root root 4962368 Sep 11 08:38 /usr/local/sisis-pap-ssl30/lib/libcrypto.so.3
-rw-r--r-- 1 root root 1253636 Sep 11 08:38 /usr/local/sisis-pap-ssl30/lib/libssl.a
lrwxrwxrwx 1 root root      11 Sep 11 08:38 /usr/local/sisis-pap-ssl30/lib/libssl.so -> libssl.so.3
-rwxr-xr-x 1 root root  803008 Sep 11 08:38 /usr/local/sisis-pap-ssl30/lib/libssl.so.3

To make the existing servers happy, it does not help to change the
LD_LIBRARY_PATH to get the 3.0.10 libs in front of the old 1.1.1t libs
and also making sym links like:

lrwxrwxrwx 1 root root      45 Sep 11 11:11 /usr/local/sisis-pap-ssl30/lib/libcrypto.so.1.1 -> /usr/local/sisis-pap-ssl30/lib/libcrypto.so.3
lrwxrwxrwx 1 root root      42 Sep 11 11:12 /usr/local/sisis-pap-ssl30/lib/libssl.so.1.1 -> /usr/local/sisis-pap-ssl30/lib/libssl.so.3

will not help, because the server (here the PostgreSQL server) is
missing old symbols in the new 3.0.10 shared libs:

# /etc/init.d/postgres.ssl30 start
/usr/local/sisis-pap/pgsql-15.1/bin/postmaster: /usr/local/sisis-pap-ssl30/lib/libssl.so.1.1: version `OPENSSL_1_1_0' not found (required by /usr/local/sisis-pap/pgsql-15.1/bin/postmaster)
/usr/local/sisis-pap/pgsql-15.1/bin/postmaster: /usr/local/sisis-pap-ssl30/lib/libcrypto.so.1.1: version `OPENSSL_1_1_0' not found (required by /usr/local/sisis-pap/pgsql-15.1/bin/postmaster)
        libssl.so.1.1 => /usr/local/sisis-pap-ssl30/lib/libssl.so.1.1 (0x00007fb9b5046000)
        libcrypto.so.1.1 => /usr/local/sisis-pap-ssl30/lib/libcrypto.so.1.1 (0x00007fb9b4c2f000)
Starting PostgreSQL: su: cannot open session: Module is unknown

This matches what is expressed in the migration guide:
https://www.openssl.org/docs/man3.1/man7/migration_guide.html
...
OpenSSL 3.0 is a major release and consequently any application that
currently uses an older version of OpenSSL will at the very least need
to be recompiled in order to work with the new version.
...

Thanks

	matthias


-- 
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

More information about the openssl-users mailing list